With the coming of the mobile broadband era, users need broadband access services anywhere and anytime, which places higher requirements on a mobile communications network, such as a higher transmission rate, smaller delay, and higher system capacity. To maintain the advantages of 3GPP networks, the 3GPP standards organization launched research and standardization work on an SAE (system architecture evolution) plan and defined a new mobile communications network framework, referred to as an evolved packet system (EPS), at the end of 2004. With the trend of convergence and unification of core networks, the 3GPP also makes it possible to access the EPC (Evolved Packet Core, the core part of the evolved packet system) of the EPS by using a non-3GPP access network, for example, WLAN, WiMAX, and the like.
An S2c interface uses the DSMIPv6 (Dual Stack Mobile IPv6) protocol and can be used to access an EPS network by using a trusted non-3GPP access network, an untrusted non-3GPP access network, or a 3GPP access network. When a UE (user equipment) accesses the EPC by using a non-3GPP access network via the S2c interface, an SA (security association) is established between the UE and a PDN-GW (packet data gateway, also PGW for short) to protect DSMIPv6 signaling. When the UE accesses the EPC via the S2c interface, the PDN-GW exchanges authentication and authorization request and response messages with an AAA (authentication, authorization and accounting) server via an S6b interface between the PDN-GW and the AAA server, so that the PDN-GW completes authentication and authorization for the UE and obtains information such as a mobility parameter and subscription data from the AAA server. In a roaming scenario, these messages additionally need to pass through an AAA agent between the PDN-GW and the AAA server.
When the UE accesses the EPC by using a trusted non-3GPP access network via the S2c interface, the 3GPP defines that after a DSMIPv6 tunnel is established between the UE and the PDN-GW, a security association (SA) is established between the UE and the PDN-GW to protect DSMIPv6 signaling, and the PDN-GW may initiate establishment of a child security association (Child SA) to the UE to protect the data plane. However, when the UE accesses the EPC by using an untrusted non-3GPP access network, an IPSec security channel is established between the UE and a non-3GPP access gateway, the ePDG (evolved packet data gateway), and data packets between the UE and the PDN-GW are protected by using this IPSec security channel. That is, when the UE accesses the EPS by using a non-3GPP network in a trusted manner, a Child SA may be established on an S2c tunnel to protect integrity and confidentiality of the data plane; when the UE accesses the EPS by using a non-3GPP network in an untrusted manner, the IPSec security channel between the UE and the ePDG provides integrity protection and confidentiality protection for data; and when the UE accesses the EPC by using a 3GPP access network via the S2c interface, data security protection between the UE and the PDN-GW is provided by the authentication encryption mechanism of the 3GPP itself. Therefore, when the UE accesses the EPC via the S2c interface, the PDN-GW needs to distinguish whether the access scenario is access by using a trusted non-3GPP access network, access by using an untrusted non-3GPP access network, or access by using a 3GPP access network, and complete the establishment or update procedure of the corresponding data security channel.
When the UE accesses the EPC by using a 3GPP access network, a security association (SA) may first be established between the UE and the PDN-GW, so as to save the time needed for SA establishment after a subsequent handover to a non-3GPP access network. When the UE hands over from the non-3GPP access network to a 3GPP access network, the SA between the UE and the PDN-GW may also not be released immediately; instead, the SA is retained for a period of time and is automatically released when the SA times out. In this case, when the UE hands over between a trusted non-3GPP access network, an untrusted non-3GPP access network, and a 3GPP access network and accesses the EPC via the S2c interface, an SA may already exist. However, the trust relationship of the access network that the PDN-GW obtained during the previous SA establishment, that is, information about whether the access network at that time was trusted non-3GPP access, untrusted non-3GPP access, or 3GPP access, may not be consistent with the trust relationship of the current access network. Therefore, a data security channel needs to be established or updated according to the access scenario after a handover.
As described above, when the UE hands over between a trusted non-3GPP access network, a 3GPP access network, and an untrusted non-3GPP access network and accesses the EPC via the S2c interface, the PDN-GW needs to distinguish the access scenario, so as to complete establishment or update of the data security channel in the manner that matches that scenario. However, the PDN-GW cannot determine the current access manner of the UE and therefore cannot correctly establish or update the data security channel.
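The handover problem described above can be modelled in a few lines. The following is an added example, not part of the original text: `PdnGwModel`, `on_access` and the action strings are hypothetical names, timing out the SA on last use and dropping the Child SA on leaving trusted access are assumptions, and the model takes the current access type as an input, which is exactly the information the text says the PDN-GW lacks.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Access(Enum):
    TRUSTED_NON_3GPP = "trusted non-3GPP"
    UNTRUSTED_NON_3GPP = "untrusted non-3GPP"
    TGPP = "3GPP"

# Data-plane protection for each access scenario, as stated in the text.
DATA_PLANE = {
    Access.TRUSTED_NON_3GPP: "Child SA on the S2c tunnel (UE to PDN-GW)",
    Access.UNTRUSTED_NON_3GPP: "IPSec channel between UE and ePDG",
    Access.TGPP: "3GPP authentication and encryption",
}

@dataclass
class SA:
    last_used: float
    access_at_setup: Access  # trust relationship recorded when the SA was set up
    child_sa: bool = False

class PdnGwModel:
    """Hypothetical per-UE model of the PDN-GW's S2c security state."""

    def __init__(self, sa_timeout: float):
        self.sa_timeout = sa_timeout
        self.sa: Optional[SA] = None

    def on_access(self, now: float, current: Access) -> List[str]:
        """Return the actions needed when the UE attaches or hands over."""
        actions: List[str] = []
        if self.sa and now - self.sa.last_used > self.sa_timeout:
            self.sa = None  # retained SA is released automatically on timeout
            actions.append("release SA (timeout)")
        if self.sa is None:
            self.sa = SA(now, current)
            actions.append("establish SA")
        elif self.sa.access_at_setup is not current:
            # Retained SA carries a trust relationship from the previous access.
            actions.append(f"stale trust: {self.sa.access_at_setup.value} -> {current.value}")
            self.sa.access_at_setup = current
        need_child = current is Access.TRUSTED_NON_3GPP
        if need_child and not self.sa.child_sa:
            actions.append("initiate Child SA")
        elif self.sa.child_sa and not need_child:
            actions.append("drop Child SA")  # assumption: not specified in the text
        self.sa.child_sa = need_child
        self.sa.last_used = now
        actions.append("data plane: " + DATA_PLANE[current])
        return actions
```

Without the `current` argument the model can only act on `access_at_setup`, so a UE that moved from 3GPP to trusted non-3GPP access would keep an SA with no Child SA protecting its data plane.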